Abstract

In the information security outsourcing market, an important reason that firms do not want to let
outside firms (usually called MSSPs, Managed Security Service Providers) take care of their
security needs is that they worry about the service quality MSSPs provide, because they cannot
monitor the effort of the MSSPs. Since an MSSP's action is unobservable to buyers, MSSPs can lower
cost by working less hard than required in the contract and get higher profit. In the asymmetric
information literature, this possible secret shirking behavior is termed the moral hazard problem.
This paper considers a game theoretic economic framework to show that under information asymmetry,
an optimal contract can be designed so that MSSPs will stick to their promised effort level. We
also show that the optimal contract should be performance-based, i.e., payment to the MSSP should
be based on the performance of the MSSP's security service period by period. For comparison, we
also show that if the moral hazard problem does not exist, the optimal contract does not depend on
the MSSP's performance. A contract that specifies a constant payment to the MSSP will be optimal.
Besides these, we show that under either the perfect information scenario or the imperfect
information scenario, the higher the transaction cost is, the lower the payment to MSSPs will be.

Keywords: outsourcing, information security, managed security service providers, economics of 
information security 



1 Introduction 

The security outsourcing market, where firms contract with outside information security vendors to
meet their organizational demands, has been growing at a double digit rate for the past 3 years, and
experts predict that this growth rate will continue through 2008 [7]. Compared with the booming
of the business, the theory of security outsourcing is less developed. In view of this, both buyers
and MSSPs need to strategically understand the nature of this market.



Information security outsourcing is different from traditional outsourcing because information
security is different from durable goods and other outsourced services such as payroll and
accounting. As more and more firms automate processes, servers and networks work like the brains
and vessels of a firm. If any core system goes down, the cost may be large due to lost data and lost
revenue. What makes it worse is that security breaches are irreversible. While defects in
manufacturing can be returned or wrong paychecks can be reissued, monetary loss due to down time
is gone forever, and lost customer confidence may be hard to gain back. Therefore, while most
industries put cost saving as the primary reason they outsource business processes other than
security, firms that outsource information security state that service quality is their primary
motivation. This is supported by a survey by Jeffrey Kaplan published in Business Communication
Review (2003) [10]. It is reported that 40.6% of the firms outsource network operations based on
concerns for service quality.

Information asymmetry is another reason that firms have concerns about outsourcing their security.
Since buyers cannot observe and monitor MSSPs' actions, MSSPs, as profit maximizing companies,
have an incentive to lower their effort level to reduce cost.

The model we present is one where buyers and MSSPs engage in a repeated game with
infinite horizon and the MSSPs' effort level is not observable to buyers. We show that under this
information asymmetry, a moral hazard problem will occur. Performance based contracts are
recommended to avoid such a moral hazard problem.

For comparison, we also provide results under perfect information, where buyers can have all the
information they need and shirking is not an option for MSSPs. Under the scenario of perfect
information, the optimal solution (in terms of how the contract is written) is a price-only
contract. This solution is called first best because no deadweight loss is incurred under the
perfect information assumption.

Besides the optimal contract form, we are particularly interested in the effect of transaction
cost on the market equilibrium price. Transaction cost includes all costs spent on searching for,
arguing and executing contracts with MSSPs [4]. We argue in Section 3.2 that transaction cost can be
very high in outsourcing non-traditional services such as security because standard rules and
procedures have not been established yet. We show that when transaction cost increases, the price
of security outsourcing will be lowered.

There is a large body of literature on IT outsourcing, including information security outsourcing
as a sub-category. Ang and Straub (1998) [1] did an empirical study on the U.S. banking industry
and showed that IT outsourcing is strongly influenced by the production cost advantage offered by IT
service vendors. Transaction cost also influences outsourcing decisions, with a much smaller effect.
Though their result is based on data from the US banking system, it is probably true in a lot of
areas outside the banking system. Based on their result, we will assume that the decrease in
production cost outweighs the increase in transaction cost throughout this paper. Lacity and
Willcocks (1998) [11] use survey data from US and UK organizations and provide empirical evidence
that the following practices are recommended to achieve the expected cost savings: selective
outsourcing, senior executives and IT managers making decisions together, inviting both internal
and external bids, short-term contracts, and detailed fee-for-service contracts. This paper will
provide theoretical support for the last practice. Mieghem (1999) [12] builds a game theoretic
model of production outsourcing where the investment decision has to be made before market demand
is revealed. After market demand is revealed, the firm's production is limited to its investment
level, and it will use outside production (outsourcing) to meet excess demand. His paper studies
three kinds of contracts: 1) price-only contract, 2) incomplete contract and 3) state-dependent
contract. He shows that only the state-dependent contract is optimal in the sense that it
eliminates all decentralizing cost.¹ His paper is related to security outsourcing because in
security outsourcing, an implicit assumption of a centralized economy is that all participants
will work diligently. Therefore, with the moral hazard problem, decentralization cost is caused by
the possibility that MSSPs may shirk. This paper will investigate why a state-contingent contract
is preferred to a non-state-contingent contract from an information economics point of view.
We argue that the state-contingent contract is the optimal contract form when there is a moral
hazard problem.

The rest of this paper is organized as follows: In Sections 2 and 3, we contrast information
security outsourcing with other types of outsourcing. Next, in Section 4, we set up an outsourcing
model with perfect and imperfect information to discuss what the optimal contract looks like and
what the effect of transaction cost on prices is. In Section 5, related work on this topic is
summarized. We end with a summary and conclusions in Section 6.

2 Outsourcing Theory 

Outsourcing is defined as 'all the subcontracting relationships between firms and the hiring of
workers in non-traditional jobs' (Heshmati 2003) [9]. Business Process Outsourcing (BPO), which
includes outsourcing of human resources, finance and accounting, procurement, shared services,
billing, customer care and so on, is estimated to grow at a 9.5% compound annual rate through 2007,
reaching $173 billion, by Gartner lfTTI . IT Outsourcing (ITO) is expected to grow at a compound
rate of 7.2% through 2008, reaching $253.1 billion in 2008 [3]. Furthermore, information security
outsourcing is predicted to grow from $4.1 billion in 2001 to $9.0 billion in 2006, a compound
growth rate of double digits Q.

Behind this booming of outsourcing, the basic force is 'cost efficiency'. As markets become
more competitive, outsourcing is an essential way firms may reduce costs. By using information
security outsourcing, firms only need to pay a fraction of their in-house cost for outsourced
security. Outsourcing can reduce cost either because suppliers have lower input costs and/or a
larger scale of production, as in the case of offshore manufacturing outsourcing, or because the
suppliers have expertise or more advanced technology, as in payroll and IT outsourcing. However,
at the same time as reducing production cost, buyers incur transaction costs in searching for,
signing, and executing contracts with suppliers. In the case of total outsourcing, when firms keep
no in-house production, firms also lose sunk costs,² which can be machines and plants that can
only be used to produce the outsourced product or can be money spent on training technicians.

If cost reduction is the only concern for firms, firms will outsource when the reduction in
production cost exceeds the increase in transaction cost. In standardized outsourcing procedures
such as payroll and manufactured goods, transaction cost has been reduced, as Coase [4] predicted:
'This(transaction) cost may be reduced but it will not be eliminated by emergence of
specialist. . .'. It is argued that transaction cost is some percentage of the contract value,
since the larger the project, the greater the effort firms will spend on searching for a proper
MSSP and the more coordination is needed between firm and MSSP after signing the contract.

¹ A centralized economy system assumes there is a social planner who makes decisions by pooling
all available resources from different firms. A decentralized economy system is one where firms
make their own decisions using individual resources. It can be shown that the outcome of a
centralized economy weakly dominates the outcome of a decentralized economy. The difference
between the two is the decentralization cost.

² Firm's investment specific to the outsourced process.

The second outsourcing incentive is that firms will be able to concentrate on their core competence
by outsourcing support/routine functions. For example, although a lot of computer companies are
based in the U.S., most keyboards are produced in Asia. By outsourcing labor intensive processes
to areas that are abundant in labor, firms achieve cost reduction and become more focused on their
core competence.

Yet another key reason for outsourcing is to obtain higher quality. Outside companies accumulate
more experience by specializing in certain processes. They can afford larger investment
in R&D to get updated technology and skills and better trained experts. A large client base
also contributes to the quality of goods and services of outside producers and service providers.
They gain experience and knowledge by serving varied clients. In consulting, for example, the
service providers have professional knowledge that a non-consulting firm can never afford to build
by itself.

Arguments against production outsourcing concern the unemployment issue, as in off-shore
outsourcing, while arguments against security outsourcing focus on transaction cost control and
service quality monitoring. We will analyze these two concerns about information security
outsourcing in detail in the following section.

3 Security Outsourcing: What is Special? 

In spite of all the advantages outsourcing may bring, some people think security should not be 
outsourced, or firms should be really careful when doing so. 

3.1 Quality Measurement Difficulty 

Security management is an art rather than a science where we know how to achieve a best solution;
here we do not even know what the best solutions are, nor do MSSPs. A security system can be
a very complicated project. People may think that they are safe with firewalls and IDSs. Even so,
firms have to decide which firewalls and IDSs to buy, how to allocate a limited budget across a
combination of these devices to reach the maximum level of security, and how to manage these
devices and tune them so that they secure your system enough and do not give too many alerts on
harmless behaviors. The bright side is that MSSPs are gaining experience on these issues quickly
through their devotion and specialization in this area.

However, people argue that it is hard to evaluate the products and services of MSSPs both ex ante
and ex post. As the security outsourcing market has become prominent over the last few years, a
large number of MSSPs have emerged from diversified backgrounds. The largest ones include firms
formed solely to solve internet security problems such as Counterpane, firms from research and
computer production such as IBM, anti-virus companies such as Symantec, firms from internet
providers such as AT&T and so on. This diversification in background is reflected in their
diversified products and services, making it really hard for firms to compare and choose among
them. (See appendix I for major MSSPs and their products.)

Also, evaluating MSSPs' products by their performance is tricky because the outcome is highly
random and can even be misleading. A better secured system may be down because of intensive
attacks; systems that ignore patching notices from time to time may go well for a long time. On
the other hand, it is not true that the more money spent on security, the fewer breaches a
system will have. Sophisticated hackers are more attracted to systems that are hard to break into.

However, a 'better' secured system should be less vulnerable in a statistical sense in the long
run. This paper will use expected performance to evaluate a security system. We assume buyers have
access to historical data on an MSSP's service performance, and can generate a distribution of the
benefit from using security outsourcing.

3.2 Effective Cost Reduction? 

Based on a survey of IT managers, directors and other decision makers from both firms that
outsourced security and those that did not, cost reduction remains their focus [10].

There is evidence that security outsourcing will reduce production cost. For device management,
for example, which covers tuning and monitoring firewalls and IDSs and running vulnerability
testing, security personnel cost $8,000 to $16,000 per month. And to get 24x7 support, this figure
may need to be more than tripled. For the same functions, MSSPs charge between $600 and $4,000. For
network monitoring, Counterpane, one of the most successful MSSPs, claims that it only charges a
fraction of the money a firm needs to spend on net management to do the security in house: 'From an
annualized basis, it's going to cost you $1 million to $1.2 million just to look at the same
information we monitor, and our average contract ranges from $40,000 to $150,000 a year — between
4% and 10% of what it would cost to do yourself . . .' |[P31 .

However, although security vendors may provide a huge reduction in production cost, transaction
cost may be quite high. Since a standard measure for security services has not been established
and each MSSP uses its own featured (different) technology, most of the time it is very hard to
compare across different MSSPs. This quality measurement difficulty may potentially increase
transaction cost [fT31l .

Also, writing up the contract and deciding who is responsible for what kind of losses due to
security breaches can be painful. Firms would feel more comfortable if security vendors took
responsibility when losses occur. But it is not always the security vendor's fault, because no
matter how well security devices are designed and tuned, there is always some probability that the
system is broken into. What is more tricky is that if security vendors take responsibility for the
losses, firms may not exercise due diligence as they should. Therefore, although this paper is
devoted to discussion of MSSPs' moral hazard behavior, the optimal contract needs to guard against
firms' moral hazard behavior as well, which may increase transaction cost significantly. Therefore,
although we will assume that transaction cost is lower than the reduction in production cost, the
effect of transaction cost needs to be further explored.

4 The Model 

Based on the above observations of how security outsourcing is special, we set up the model in the
following way.

There are two sides in the security outsourcing market: potential security service buyers
("buyers" for short), and security vendors (MSSPs). Vendors and buyers all seek to maximize their
individual profit.

Basic assumptions are:

• A1: Vendors are more cost efficient than firms; transaction cost is lower than the production
cost advantage.

• A2: Services provided by different security vendors are imperfect substitutes.³

• A3: Buyers do not have a moral hazard problem.

In the following three subsections, we show that:

1. With imperfect information, we have a moral hazard problem on the MSSP side. The optimal
contract depends non-trivially on the MSSP's performance.

2. With perfect information, the optimal contract is a price-only contract.

3. With either perfect information or imperfect information, price is decreasing in transaction
cost.

4.1 Optimal contract with imperfect information 
— Performance based contract 

Due to imperfect information, actions of the players are not directly observable. Both MSSPs and 
security buyers can disobey their promises secretly. In this paper, we focus on how to avoid moral 
hazard behavior of MSSPs, and assume buyers will always follow the contract as it is. The optimal 
contract will be such that following the contract is the best choice for both players. We temporarily 
assume transaction cost is zero in this section. 

Our analysis is based on the principal-agent problem with infinite horizon following Spear and
Srivastava() [18], where the agent's action is not observable to the principal, and the principal
is assumed to be risk neutral⁴ and the agent risk averse.⁵ Here, the MSSP is the agent of the
principal, the buyer. We are allowed to assume the security buyer is risk neutral because security
buyers have access to the insurance market and can buy insurance to mitigate risks that MSSPs
cannot eliminate. However, the risk neutral assumption is not essential to the result. We could
discuss risk averse buyers, but it only makes the mathematics more complicated without
accomplishing anything. So we just keep the simple assumption that buyers are risk neutral.

Denote the buyer's period $t$ benefit (before payment to the MSSP) from security outsourcing as
$y_t$. Because of the random nature of cyber attacks, $y_t$ is a random variable. Denote the MSSP's
effort level in period $t$ as $a_t$, $a_t \in [\underline{a}, \bar{a}]$. Then the distribution of
security service performance $y_t$ is conditional on the MSSP's effort $a_t$. Denote the
distribution as $f(y, a_t)$. $P_t$ denotes the buyer's compensation (price) to the MSSP in period
$t$. History up to period $t$ is denoted as $h_t = \{y_t, y_{t-1}, \ldots, y_0\}$.

A price contract is composed of the MSSP's effort level and the price the buyer pays to the MSSP:
$\{a_t(h_{t-1}), P_t(h_t)\}$. Notice that the MSSP's period $t$ effort level $a_t$ depends only on
history up to period $t-1$, since the MSSP has to choose its effort level at the beginning of
period $t$, before the period $t$ benefit $y_t$ is realized. Payment to the MSSP in period $t$,
however, depends on the whole performance history.

³ Imperfect substitutes are goods that are not identical but have similar functions, e.g. laptops
and desktops.

⁴ A risk neutral player only cares about average payoff.

⁵ A risk averse player gets lower utility if the variance of his payoff increases.
Let $u(P_t) - \phi(a_t)$ be the net payoff to the MSSP under contract
$\{a_t(h_{t-1}), P_t(h_t)\}$, where $u(P_t)$ is the MSSP's utility from payment $P_t$ and
$\phi(a_t)$ measures the cost of working at effort level $a_t$. We assume $u' > 0$, $u'' < 0$⁶ and
$\phi' > 0$. History $h_t$ evolves recursively by the following probability rule:

$$\pi(h_t \mid h_{t-1}) = f(y_t, a_t(h_{t-1}))\,\pi(h_{t-1}) \tag{1}$$

Assume buyers and the MSSP discount future payoffs at the same rate $\beta$, $\beta \in [0, 1]$;
then the buyer's and the MSSP's period $t$ expected payoffs are
$\int (y_t - P_t) f(y_t \mid a_t)\,dy_t$ and $u(P_t) - \phi(a_t)$.

Discounting all future payoffs to period 0, we have the buyer's and the MSSP's period discounted
payoffs as:

$$B_t(P_t, a_t) = \sum_{j=0}^{\infty} \sum_{h_{t+j}} \beta^j \Big[\int (y_t - P_t) f(y_t, a_t)\,dy_t\Big]\, \pi(h_{t+j}, a_{t+j} \mid h_t) \tag{2}$$

$$M_t(P_t, a_t) = \sum_{j=0}^{\infty} \sum_{h_{t+j}} \beta^j \big[u(P_t) - \phi(a_t)\big]\, \pi(h_{t+j}, a_{t+j} \mid h_t) \tag{3}$$

Therefore, the maximization problem for the security buyer is to choose a sequence of contracts
$\{P_t(y), a_t\}_{t=0}^{\infty}$ to maximize discounted expected utility subject to the constraint
that the MSSP cannot benefit from deviating from the contract:

$$
\begin{aligned}
\max\ & B_t(P_t(y), a_t) \\
\text{s.t.}\ & M_t(P_t(y), a_t) \ge M_t(P_t(y), \hat{a}_t) \quad \forall\, \hat{a}_t \in [\underline{a}, \bar{a}]
\end{aligned}
\tag{4}
$$

where the constraint in the above maximization problem is called the incentive compatibility (IC)
constraint. It shows that the effort level $a_t$ is optimal for the MSSP compared to any other
possible effort level $\hat{a}_t$.

Since the above problem has infinitely unknown variables, it is impossible to solve it directly. 
Instead, we rewrite it in the recursive form. 

In the recursive form, the principal maximizes the current period's payoff assuming he will behave
optimally from the next period on. Let $v$ denote the payoff the buyer promised to the MSSP this
period and $w(y)$ denote the promised payoff to the MSSP next period. Let $K(v)$ be the maximized
payoff to the buyer when the MSSP gets $v$ as promised expected payoff. Hence, $K(w(y))$ is the
buyer's best possible payoff next period. Then the maximization problem in recursive form is:

$$
\begin{aligned}
K(v) = \max_{P(y),\,w(y),\,a}\ & \int [y - P(y) + \beta K(w(y))]\, f(y,a)\,dy \\
\text{s.t.}\quad & \int [u(P(y)) + \beta w(y)]\, f(y,a)\,dy - \phi(a) \ge v && \text{(PK)} \\
& a \in \arg\max \int [u(P(y)) + \beta w(y)]\, f(y,a)\,dy - \phi(a) && \text{(IC)}
\end{aligned}
\tag{5}
$$

The optimal contract should contain $\{P(y), w(y), a\}$. (PK) is short for "promise keeping". It
requires that if the buyer promised the MSSP payoff $v$, the contract should guarantee that the
expected payoff to the MSSP is at least $v$ (equal to $v$ in equilibrium). The (IC) constraint is
the same as in (4).

⁶ $u'' < 0$ comes from the risk averse assumption.

The (IC) constraint implies that the solution $a$ should satisfy both the following first order
condition and second order condition:

$$\text{(FOC)}\quad \int [u(P(y)) + \beta w(y)]\, f_a(y,a)\,dy - \phi'(a) = 0 \tag{6}$$

$$\text{(SOC)}\quad \int [u(P(y)) + \beta w(y)]\, f_{aa}(y,a)\,dy - \phi''(a) < 0 \quad \forall\, w(y) \tag{7}$$

Assumption:

• Convexity of distribution function condition (COFC):

$$F_{aa} > 0 \tag{8}$$

where $F(x, a) = \int_{-\infty}^{x} f(y, a)\,dy$.

Rogerson (1985) [16] shows that when COFC is satisfied, (SOC) is guaranteed. We can use
(FOC) to substitute for the (IC) constraint and get rid of the (SOC).

Let $\lambda$ be the Lagrangian multiplier on the (PK) constraint and $\mu$ be the multiplier on
the (IC)-(FOC) constraint. We have the Lagrangian equation:

$$
\begin{aligned}
\mathcal{L} = {} & \int [y - P(y) + \beta K(w(y))]\, f(y,a)\,dy \\
& + \lambda \Big( \int [u(P(y)) + \beta w(y)]\, f(y,a)\,dy - \phi(a) - v \Big) \\
& + \mu \Big( \int [u(P(y)) + \beta w(y)]\, f_a(y,a)\,dy - \phi'(a) \Big)
\end{aligned}
\tag{9}
$$



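Taking first order conditions w.r.t. $P(y)$, $w(y)$ and $a$, we get the following first order
conditions and the envelope condition:

$$\{P(y)\}:\quad -1 + \lambda u'(P(y)) + \mu u'(P(y)) \frac{f_a(y,a)}{f(y,a)} = 0 \tag{10}$$

$$\{w(y)\}:\quad \beta K'(w(y)) + \beta\lambda + \mu\beta \frac{f_a(y,a)}{f(y,a)} = 0 \tag{11}$$

$$\{a\}:\quad \int [y - P(y) + \beta K(w(y))]\, f_a(y,a)\,dy + \mu \Big[ \int [u(P(y)) + \beta w(y)]\, f_{aa}(y,a)\,dy - \phi''(a) \Big] = 0 \tag{12}$$

$$\{\text{ENV}\}:\quad K'(v) = -\lambda \tag{13}$$

First order conditions (10) and (11) imply:

$$\frac{1}{u'(P(y))} = -K'(w(y)) = \lambda + \mu \frac{f_a(y,a)}{f(y,a)} \tag{14}$$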

Definition: MLRP (monotone likelihood ratio property)

• The likelihood ratio $\frac{f_a(y,a)}{f(y,a)}$ is monotone in $y$, or
$\frac{\partial}{\partial y}\Big[\frac{f_a(y,a)}{f(y,a)}\Big] > 0$. This also implies:
$\forall\, \hat{a} > a,\ \hat{y} > y$:
$\frac{f(\hat{y},\hat{a})}{f(\hat{y},a)} \ge \frac{f(y,\hat{a})}{f(y,a)}$.

Intuitively, this means that at a higher effort level $\hat{a}$, it is more probable to get a
higher benefit $y$ than at a lower effort level $a$.

Rogerson (1985) [16] shows that when the density function $f(y,a)$ has the monotone likelihood
ratio property, $\mu$, the multiplier on the (IC) constraint, is positive.

When MLRP holds, $\mu > 0$, and equation (14) implies the following results:

Result 1: $y \uparrow \ \Rightarrow\ \frac{1}{u'(P(y))} \uparrow \ \Rightarrow\ P(y) \uparrow$

Reason: $u''(P(y)) < 0$.

This result suggests contracts should be performance-based, i.e. payment to the MSSP should be
higher when the benefit from security outsourcing increases and vice versa. This supports
the empirical result of Lacity and Willcocks (1998) [11].

Result 2: $y \uparrow \ \Rightarrow\ K'(w(y)) \downarrow \ \Rightarrow\ w(y) \uparrow$

Reason: $K(w(y))$ is the best possible payoff of the buyer next period when the MSSP's expected
payoff is $w(y)$. Since the MSSP's payoff comes from compensation $P(y)$ from the buyer, the higher
the MSSP's payoff $w(y)$ is, the lower the buyer's payoff $K(w(y))$ will be.

This result suggests the buyer should reward the MSSP with a higher expected payoff for the next
period if the buyer gets a high benefit this period.

Result 3: $v \uparrow \ \Rightarrow\ \lambda \uparrow \ \Rightarrow\ P(y), w(y) \uparrow$

Reason: $v \uparrow \Rightarrow \lambda \uparrow$ follows from the envelope condition (ENV).
$\lambda \uparrow \Rightarrow P(y), w(y) \uparrow$ follows from equation (14).

This result shows that if the buyer promises the MSSP a higher current expected payoff, the buyer
should increase both the current period compensation and the next period promised expected payoff.

To sum up, from Results 1 - 3, we suggest that the optimal contract under moral hazard should
depend on performance in a non-trivial way, and that the effect of performance persists in future
compensation. The effect is carried over by the promised values $v$ and $w(y)$, as shown in
Results 2 and 3.



4.2 Optimal contract with perfect information 
— price only contract 

With perfect information, the buyer can monitor the MSSP's behavior very well. Then the MSSP is
not able to shirk and the moral hazard problem does not exist. In this scenario, the maximization
problem of the buyer (5) reduces to:

$$
\begin{aligned}
K(v) = \max_{P(y),\,w(y),\,a}\ & \int [y - P(y) + \beta K(w(y))]\, f(y,a)\,dy \\
\text{s.t.}\quad & \int [u(P(y)) + \beta w(y)]\, f(y,a)\,dy - \phi(a) \ge v && \text{(PK)}
\end{aligned}
\tag{15}
$$

Corresponding first order conditions are:

$$\{P(y)\}:\quad -1 + \lambda u'(P(y)) = 0 \tag{16}$$

$$\{w(y)\}:\quad \beta K'(w(y)) + \beta\lambda = 0 \tag{17}$$

$$\{a\}:\quad \int [y - P(y) + \beta K(w(y))]\, f_a(y,a)\,dy = 0 \tag{18}$$

$$\{\text{ENV}\}:\quad K'(v) = -\lambda \tag{19}$$

Equations (16) and (17) imply:

$$\frac{1}{u'(P(y))} = -K'(w(y)) = \lambda \tag{20}$$

This suggests that without the moral hazard problem, the optimal compensation and the next period
promised value do not depend on this period's outcome $y$. Constant compensation and promised value
would be optimal.
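
A one-period, two-effort numerical version of the contrast between Sections 4.1 and 4.2, added here as an illustration (it is not code or data from the paper). It assumes β = 0 (no continuation value w(y)), two effort levels instead of a continuum, u(P) = 2√P, and constructed probabilities, costs and benefits; all function names are hypothetical.

```python
"""One-period, two-effort version of the MSSP contract problem (added illustration).

Assumptions (not from the paper): beta = 0, so there is no continuation value w(y);
two effort levels instead of a continuum; three outcomes; u(P) = 2*sqrt(P).
All numbers below are constructed sample values.
"""
from math import sqrt

# Outcomes, worst to best: major breach, minor incidents, clean period.
BENEFIT = [0.0, 60.0, 100.0]      # buyer's benefit y for each outcome
F_HIGH = [0.1, 0.3, 0.6]          # f(y | promised effort)
F_LOW = [0.4, 0.4, 0.2]           # f(y | shirking)
COST_HIGH, COST_LOW = 3.0, 1.0    # phi(a) for the two effort levels
V = 7.0                           # promised expected payoff v in (PK)


def u(p):
    return 2.0 * sqrt(p)


def u_inv(x):
    return (x / 2.0) ** 2


def expect(dist, values):
    return sum(f * x for f, x in zip(dist, values))


def has_mlrp():
    """Discrete MLRP: f_HIGH/f_LOW must rise with the outcome."""
    ratios = [h / l for h, l in zip(F_HIGH, F_LOW)]
    return all(a < b for a, b in zip(ratios, ratios[1:]))


def first_best_contract():
    """Effort observable: only (PK) binds, 1/u'(P) = lambda, so P is constant."""
    return [u_inv(V + COST_HIGH)] * len(BENEFIT)


def second_best_contract():
    """Effort hidden: (PK) and (IC) both bind.

    Discrete analogue of equation (14): 1/u'(P(y)) = lam + mu * (1 - f_LOW/f_HIGH).
    With u = 2*sqrt(P), 1/u'(P) = u(P)/2, so utilities are linear in (lam, mu).
    """
    lr = [1.0 - l / h for h, l in zip(F_HIGH, F_LOW)]
    # (PK): E_high[u] - COST_HIGH = V; E_high[lr] = 0, hence 2*lam = V + COST_HIGH.
    lam = (V + COST_HIGH) / 2.0
    # (IC): E_high[u] - E_low[u] = COST_HIGH - COST_LOW, with
    # E_high[u] - E_low[u] = 2 * mu * sum((f_high - f_low) * lr).
    spread = sum((h - l) * r for h, l, r in zip(F_HIGH, F_LOW, lr))
    mu = (COST_HIGH - COST_LOW) / (2.0 * spread)
    utils = [2.0 * (lam + mu * r) for r in lr]
    if min(utils) < 0:
        raise ValueError("closed form needs non-negative utilities; change the sample data")
    return [u_inv(x) for x in utils], lam, mu


def mssp_effort(payments):
    """Effort a profit-maximising MSSP picks; ties go to the promised (high) effort."""
    util = [u(p) for p in payments]
    high = expect(F_HIGH, util) - COST_HIGH
    low = expect(F_LOW, util) - COST_LOW
    return "high" if high >= low - 1e-9 else "low"


def buyer_payoff(payments):
    """Buyer's expected y - P(y) under the effort the MSSP actually chooses."""
    dist = F_HIGH if mssp_effort(payments) == "high" else F_LOW
    return expect(dist, BENEFIT) - expect(dist, payments)


if __name__ == "__main__":
    flat = first_best_contract()
    perf, lam, mu = second_best_contract()
    print("MLRP holds:", has_mlrp())
    print("flat contract:", flat, "-> MSSP effort when unobserved:", mssp_effort(flat))
    print("performance contract:", [round(p, 4) for p in perf], "lambda", lam, "mu", round(mu, 4))
    print("MSSP effort under performance contract:", mssp_effort(perf))
    print("buyer payoff, flat contract with hidden effort:", round(buyer_payoff(flat), 4))
    print("buyer payoff, performance contract:", round(buyer_payoff(perf), 4))
```

With hidden effort the flat payment that is optimal under perfect information leads the MSSP to shirk, while the outcome-dependent payments restore the promised effort at the price of a higher expected payment to the risk-averse MSSP.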

4.3 Effect of transaction cost 

4.3.1 Effect from game between buyer and MSSP 

In this section, we will study how transaction cost affects the equilibrium market price. No matter
whether the buyer has perfect information about the MSSP's effort level or not, the existence of
transaction cost reduces the buyer's compensation to the MSSP.

As in Section 4.1, we use $P(y)$ to denote the buyer's compensation to the MSSP. Since buyers will
also need to pay transaction cost on top of the service price, the actual out-of-pocket price
buyers of MSSP services face is $(1 + \alpha)P(y)$, where $\alpha P(y)$ is the transaction cost.⁷

With transaction cost, we modify the maximization problem of the buyer as:

$$
\begin{aligned}
K(v) = \max_{P(y),\,w(y),\,a}\ & \int [y - (1+\alpha)P(y) + \beta K(w(y))]\, f(y,a)\,dy \\
\text{s.t.}\quad & \int [u(P(y)) + \beta w(y)]\, f(y,a)\,dy - \phi(a) \ge v && \text{(PK)} \\
& a \in \arg\max \int [u(P(y)) + \beta w(y)]\, f(y,a)\,dy - \phi(a) && \text{(IC)}
\end{aligned}
\tag{21}
$$

Corresponding first order conditions are:

$$\{P(y)\}:\quad -(1+\alpha) + \lambda u'(P(y)) + \mu u'(P(y)) \frac{f_a(y,a)}{f(y,a)} = 0 \tag{22}$$

$$\{w(y)\}:\quad \beta K'(w(y)) + \beta\lambda + \mu\beta \frac{f_a(y,a)}{f(y,a)} = 0 \tag{23}$$

$$\{a\}:\quad \int [y - P(y) + \beta K(w(y))]\, f_a(y,a)\,dy + \mu \Big[ \int [u(P(y)) + \beta w(y)]\, f_{aa}(y,a)\,dy - \phi''(a) \Big] = 0 \tag{24}$$

$$\{\text{ENV}\}:\quad K'(v) = -\lambda \tag{25}$$

⁷ Transaction cost is modelled as a percentage of contract value because as the project gets
larger, buyer and vendor need to spend more time and money on the negotiation and coordination
part [?]. A survey done by Barthelemy (2001) [2] shows that transaction cost is up to 6% for
contracts lower than $10 million value.
From first order condition (22) we have

$$\frac{1}{u'(P(y))} = \frac{1}{1+\alpha} \Big[ \lambda + \mu \frac{f_a(y,a)}{f(y,a)} \Big] \tag{26}$$

Similarly, under perfect information, we have:

$$\frac{1}{u'(P(y))} = \frac{\lambda}{1+\alpha} \tag{27}$$

Comparing with equation (14) and equation (20), it can be implied that, all other things the same,
compensation $P(y)$ is smaller with transaction cost.

4.3.2 Effect from game among MSSPs 

Another effect of transaction cost on market price comes from competition among MSSPs. This
effect also suggests that when transaction cost increases, the nominal market price will decrease.

• A3: Vendors engage in a price competition against each other.

We will derive the Nash Equilibrium⁸ [14] price under the assumptions A1-A3. For this section,
to see the effect of MSSPs' competition, we ignore the effect of buyers, and assume perfect
information (as shown in Section 4.2, the optimal contract specifies a non-performance-dependent
price, so $P(y)$ is replaced with $P$). We will show that MSSPs will lower their price to bear part
of the transaction cost due to competition with other MSSPs. The division of the transaction cost
between buyers and vendors depends on the demand elasticity for security products.

A price competition is where every MSSP uses price as a strategic variable, and is free to choose
a price that maximizes its profit given the prices of other vendors. Explicitly, the profit
maximization problem for vendor $i$ is:

$$\max\ \big\{ P^i \cdot N^i((1+\alpha)P) - C^i(N^i((1+\alpha)P)) \big\}$$

$P$ denotes the price vector $\{P^i, i = 1, \ldots, V\} = \{P^i, P^{-i}\}$, where $P^i$ is the
market price MSSP $i$ charges. $P^{-i}$ is the vector of prices that all other MSSPs except MSSP
$i$ charge. $N^i$ is the demand for MSSP $i$'s service, which depends on market prices. It also
depends implicitly on the service quality MSSPs provide. $C^i$ is MSSP $i$'s total cost of
servicing $N^i$ customers. Then the above maximization problem shows how MSSP $i$ maximizes its net
profit (revenue minus cost) by choosing $P^i$ when other vendors charge price $P^{-i}$.

$C^i$ includes both fixed cost ($FC$), which does not change with the number of customers, and
variable cost ($VC$), which does. Explicitly,

$$C^i(N^i(\cdot)) = FC + VC(N^i(\cdot)) \tag{28}$$

$C^i(\cdot)$ increases with the number of customers.

⁸ A strategy vector $x$ with payoff vector $\pi$ is called a Nash Equilibrium if
$\pi_i(x_i, x_{-i}) \ge \pi_i(\hat{x}_i, x_{-i}),\ \forall \hat{x}_i \in X_i,\ \forall i$.
$X_i$ is the set of all possible actions player $i$ can take. This condition means that a Nash
Equilibrium is such that no player can benefit from unilateral deviations.

The optimal price MSSP $i$ should charge solves the following first order condition of the
maximization problem w.r.t. $P^i$:

$$N^i(\cdot) + P^i \frac{\partial N^i(\cdot)}{\partial P^i}(1+\alpha) = C^{i\prime}(N^i(\cdot)) \frac{\partial N^i(\cdot)}{\partial P^i}(1+\alpha) \tag{29}$$

Dividing both sides of equation (29) by $\frac{\partial N^i(\cdot)}{\partial P^i}(1+\alpha)$ and
rearranging terms, we get:

where $\eta^i = -(\partial N^i(\cdot)/N^i)/(\partial P^i/P^i)$, which represents the percentage
change in demand due to a percentage change in price, the price elasticity of vendor $i$'s demand.
It measures how sensitively market demand changes with price. Because
$\partial N^i(\cdot)/\partial P^i < 0$ (demand and price move in opposite directions), a negative
sign is added so that $\eta^i > 0$.
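
The condition referred to as (30), written out from (29) and the elasticity $\eta^i$ defined above; this is an added derivation, not the display from the original paper:

$$
\begin{aligned}
\frac{N^i(\cdot)}{\frac{\partial N^i(\cdot)}{\partial P^i}(1+\alpha)} + P^i &= C^{i\prime}(N^i(\cdot)) && \text{(divide (29) by } \tfrac{\partial N^i(\cdot)}{\partial P^i}(1+\alpha)\text{)} \\
\frac{N^i(\cdot)}{\partial N^i(\cdot)/\partial P^i} &= -\frac{P^i}{\eta^i} && \text{(definition of } \eta^i\text{)} \\
P^i \Big( 1 - \frac{1}{\eta^i(1+\alpha)} \Big) &= C^{i\prime}(N^i(\cdot))
\end{aligned}
$$

Totally differentiating the left-hand side of the last line in $P^i$, $\eta^i$ and $\alpha$ gives the three terms on the left of equation (35).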

Solving for $P^i$ from optimizing condition (30), $P^i$ is a function of $P^{-i}$, $\alpha$ and
$\eta$:

$$P^i = r(P^{-i}, \alpha, \eta) \tag{31}$$

Equation (31) can be viewed as the response function of MSSP $i$ to the prices of other security
MSSPs, $P^{-i}$. Therefore, for all MSSPs on the market, $i = 1, \ldots, V$, we can form an
equation system:

$$
\begin{aligned}
P^1 &= r(P^{-1}, \alpha, \eta), \\
P^2 &= r(P^{-2}, \alpha, \eta), \\
&\ \ \vdots \\
P^V &= r(P^{-V}, \alpha, \eta)
\end{aligned}
\tag{32}
$$

The Nash Equilibrium of this price competition is a price vector (strategies) that solves the
above equation system and a corresponding vector of profits (payoffs). Under regularity conditions,
this equilibrium price vector exists and is unique lfLUl .

To give an idea of what this Nash Equilibrium price looks like, we present a graphic solution for
the simplified case when $V = 2$. Then optimization conditions (32) reduce to the following:

$$
\begin{aligned}
P^1 &= r(P^2, \alpha, \eta) \\
P^2 &= r(P^1, \alpha, \eta)
\end{aligned}
\tag{33}
$$

To make things easier, we make two more assumptions:

• A4. Marginal cost $C^{i\prime}(\cdot)$ is constant, i.e. it costs MSSP $i$ the same amount of
money to serve one additional buyer.

• A5. $\frac{\partial \eta^i}{\partial (P^i/P^{-i})} > 0$, meaning that as MSSP $i$'s service
becomes more expensive relative to the services of other MSSPs, demand for MSSP $i$'s service
becomes more elastic. In other words, the same percentage increase in $P^i$ will induce a greater
percentage reduction in $N^i$ for higher $P^i/P^{-i}$ than for lower.
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(a) Nash Equilibrium prices when (b) Nash Equilibrium prices when 

a = a > 



Figure 1 : Effect of transaction cost on equilibrium price 

The two response curves $P^i = r(P^{-i}, a, \eta)$, $i = 1, 2$, are plotted in Figure 1, where the horizontal axis represents MSSP 1's price and the vertical axis represents MSSP 2's price. Under A4 and A5, Feenstra [8] showed that both reaction curves have positive slopes. The slope of MSSP 1's response curve is then larger than that of MSSP 2's, as shown in Fig. 1(a).

Because a response curve is the locus of an MSSP's best responses given the other MSSP's action, the intersection point E is the equilibrium point where both MSSPs are choosing optimally and simultaneously. By definition, the prices at E are the Nash Equilibrium prices. Observe that this Nash Equilibrium is a stable equilibrium in the sense that no matter what prices the MSSPs start off with, they will eventually arrive at point E, as shown by the arrows in Fig. 1(a).

Denote the price vendor i would charge when there is no transaction cost (a = 0) by $P_0^i$. From equation system (33):

$$P_0^i = r(P^{-i}, a = 0, \eta), \quad i = 1, 2 \tag{34}$$

Totally differentiating optimization condition (30):

$$dP^i\left(1 - \frac{1}{\eta^i(1+a)}\right) + P^i \cdot \frac{d\eta^i}{(\eta^i)^2(1+a)} + P^i \cdot \frac{da}{\eta^i(1+a)^2} = C''(N(\cdot)) \tag{35}$$

By A4,

$$C''(N(\cdot)) = 0 \tag{36}$$

Equation (35) then implies:

$$dP^i\left(1 - \frac{1}{\eta^i(1+a)} + \frac{\frac{\partial \eta^i/\eta^i}{\partial P^i/P^i}}{\eta^i(1+a)}\right) = -P^i\,\frac{\frac{da}{1+a}}{\eta^i(1+a)} \tag{37}$$

Assume:

• A6. $\frac{\partial \eta^i/\eta^i}{\partial P^i/P^i} > 1 - \eta^i(1+a)$

Under assumption A6,

$$1 - \frac{1}{\eta^i(1+a)} + \frac{\frac{\partial \eta^i/\eta^i}{\partial P^i/P^i}}{\eta^i(1+a)} > 0 \tag{38}$$

Equation (37) implies

$$da > 0 \;\Rightarrow\; dP^i < 0 \tag{39}$$



This shows that when transaction cost increases, MSSPs reduce their prices correspondingly. 

Graphically, the reaction curve $P^1 = r(P^2, a, \eta)$ shifts to the left and $P^2 = r(P^1, a, \eta)$ shifts down, compared with the reaction curves when there is no transaction cost. As shown in Figure 1(b), the reaction curves with transaction cost intersect at a lower price level for both MSSPs. Remember that the intersection of the reaction curves is the Nash Equilibrium of the game.

As shown above, under assumptions 1-6, the existence of transaction cost reduces the prices charged by MSSPs. The extent of the reduction depends on how sensitive market demand is to prices.
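The two-MSSP argument above (best responses meeting at E from any starting prices, and E moving to lower prices as a rises) can be checked numerically. The following is an added example, not code from the paper; the linear demand function and the values of A, B, D and C are assumptions chosen for illustration.

```python
# Added illustration for V = 2. The linear demand and all numbers are assumptions;
# the paper only requires a general demand N^i((1+a)P) satisfying A4-A6.
A, B, D, C = 100.0, 2.0, 1.0, 5.0  # intercept, own/cross slopes (B > D), marginal cost

def demand(p_own, p_other, a):
    """Assumed N^i: buyers react to effective prices (1+a)P."""
    return A - B * (1 + a) * p_own + D * (1 + a) * p_other

def foc_residual(p_own, p_other, a):
    """First-order condition (29) moved to one side; zero at a best response."""
    dn_dp = -B * (1 + a)  # derivative of assumed demand w.r.t. own posted price
    return demand(p_own, p_other, a) + (p_own - C) * dn_dp

def best_response(p_other, a):
    """Reaction function P^i = r(P^-i, a): the price that zeroes foc_residual."""
    return (A + D * (1 + a) * p_other + B * (1 + a) * C) / (2 * B * (1 + a))

def nash_prices(a, start=(0.0, 0.0), tol=1e-10, max_iter=10_000):
    """Iterate simultaneous best responses until neither MSSP wants to move."""
    p1, p2 = start
    for _ in range(max_iter):
        n1, n2 = best_response(p2, a), best_response(p1, a)
        if abs(n1 - p1) < tol and abs(n2 - p2) < tol:
            return n1, n2
        p1, p2 = n1, n2
    raise RuntimeError("best-response iteration did not converge")

if __name__ == "__main__":
    for a in (0.0, 0.1, 0.3):
        p1, p2 = nash_prices(a)
        print(f"a={a:.1f}  P1={p1:.4f}  P2={p2:.4f}  "
              f"FOC residual={foc_residual(p1, p2, a):.2e}")
    # Stability: very different starting prices still arrive at the same point E.
    print(nash_prices(0.1, start=(1.0, 80.0)))
```

With these assumed parameters both reaction curves have slope D/(2B) = 0.25 in the rival's price, which is why the iteration converges from any starting point.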



5 Related Work

5.1 Empirical Work

Empirical work on this issue has mostly been done with surveys. Ang and Straub (1998) performed a well-designed survey of banks of different sizes, with items measuring degree of IT outsourcing, production cost advantage, transaction cost, financial slack (archive data also used here), outsourcing degree and firm size. They found that production cost advantage is the main driving force of IT outsourcing, while transaction cost dampens outsourcing intention but has a much smaller effect. They also reported evidence that the degree of IT outsourcing decreases with firm size. They argued that this is because large firms are more likely to generate economies of scale in their IT department, and are therefore more likely to produce IT services in-house. Lacity and Willcocks (1998) measured the success or failure of IT outsourcing based on seven factors, and found that outsourcing scope, length of contract term and contract type are among the most important factors that decide how successful an IT outsourcing arrangement is. Poppo and Zenger (1998) included technological uncertainty, measurement difficulty and quality satisfaction in their model, and showed that when it is harder to measure performance, firms become less satisfied with costs. Ang and Cummings (1997) found empirical evidence that in hyper-competitive environments, not only do firms act strategically, but security vendors do as well.

5.2 Analytical Work

Analytical papers, on the other hand, have a strong game-theoretic flavor. Mieghem (1999) built a multivariate, multidimensional competitive model, and investigated the effect of subcontracting complexity on coordination.

Ang and Cummings argued that organizations respond strategically under hyper-competitive environments. Whang employed a game-theoretical approach to explain asymmetric information and incentive-compatibility issues in software development.

6 Conclusion



The security outsourcing market benefits both vendors and buyers if it works properly. In the first place, security outsourcing offers cost reduction for buyers. We showed that for security outsourcing, the optimal form of contract should be performance-based. We also showed that with transaction cost, the prices paid to MSSPs are lower than otherwise. MSSPs take part of the transaction cost to stimulate demand.